Re: When are security updates effective?
On Sat, Sep 02, 2006 at 10:37:04AM +0200, Rolf Kutz wrote:
> * Quoting Mikko Rapeli (mikko.rapeli@iki.fi):
> > I think it is relevant: should the effectiveness actions in general
> > be based on the host where the update was applied through lsof, package
> > dependencies provided and digitally signed by Debian, some other information
> > provided and digitally signed by the Debian security team in an
> > advisory or something else?
Or package installation scripts provided by the package maintainer.
> The problem here is that when the software has
> been exploited already, installing the security
> update doesn't fix the problem anymore.
Exploited to what extent? Without stack protection, address space
randomization, selinux etc, it's very difficult to know whether a
process's address space has been violated. And non-privileged processes
don't have write access to binary files on the system without additional
local root holes.
My point is: lsof may not be trustworthy on per host basis when making
security updates effective. The time between security bug publication and
applying the updates varies too much. If a Linux distro can do better
than Windows and not require full reboot after every update, I'd like to
see a confirmation of the steps required to make the update effective
from a source I trust anyway.
-Mikko
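The per-host check the thread keeps coming back to (which running processes still map a file that the update replaced) is what lsof reports; as an added example, not from this thread or from Debian, here is the same check done directly against /proc/<pid>/maps, with the parsing split out so it can be run on a constructed sample. It only finds replaced executables and libraries, not changed config or data files, and says nothing about whether a process was already compromised before the update.

```shell
#!/bin/sh
# Added example: list processes that still map files marked "(deleted)",
# i.e. binaries or libraries replaced on disk by an update but still in use.
# Requires root to read other users' /proc/<pid>/maps.

# deleted_mappings: read /proc/<pid>/maps text on stdin, print each unique
# pathname whose last field is "(deleted)" (paths may contain spaces).
deleted_mappings() {
    awk '$NF == "(deleted)" {
        p = $6
        for (i = 7; i < NF; i++) p = p " " $i
        print p
    }' | sort -u
}

# scan_running: walk every readable /proc/<pid>/maps and report pid,
# command line and the deleted paths it still has mapped.
scan_running() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        [ -r "$maps" ] || continue
        found=$(deleted_mappings < "$maps" 2>/dev/null) || continue
        [ -n "$found" ] || continue
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)
        printf '%s\t%s\n' "$pid" "$cmd"
        printf '%s\n' "$found" | sed 's/^/\t/'
    done
}

# Constructed sample of /proc/<pid>/maps output (not a real capture):
# an sshd that still maps an old libssl after the file was replaced.
SAMPLE_MAPS='00400000-00452000 r-xp 00000000 08:01 1234 /usr/sbin/sshd
7f0a1000-7f0a5000 r-xp 00000000 08:01 5678 /lib/libssl.so.0.9.8 (deleted)
7f0a5000-7f0a6000 rw-p 00004000 08:01 5678 /lib/libssl.so.0.9.8 (deleted)
7f0b0000-7f0b1000 rw-p 00000000 00:00 0 [heap]
7f0c0000-7f0c2000 r-xp 00000000 08:01 9999 /lib/libc.so.6'

# Run on the sample by default; pass --scan to inspect the live system.
if [ "${1:-}" = "--scan" ]; then
    scan_running
else
    printf '%s\n' "$SAMPLE_MAPS" | deleted_mappings
fi
```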